Prior to the terrorist attacks of September 11, 2001, the term “vulnerability assessment” was often used in relation to risk and system safety (Einarsson and Rausand, 1998). Concern about intentional threats was limited largely to the field of information security (e.g., Denning, 1999). Following September 11, however, there has been an increased emphasis on vulnerability to security threats from intelligent adversaries in all critical infrastructure systems, including electric power networks.

The United States created the Office of Homeland Security and the Homeland Security Council in 2001, which later led to the creation of the US Department of Homeland Security (DHS) in 2002. The first strategic document on homeland security, The National Strategy for Homeland Security (Bush, 2002), defined three strategic objectives: to prevent terrorist attacks against homeland targets, to reduce vulnerability to terrorism, and to minimize damage and recover from attacks. These three objectives roughly correspond to threat, vulnerability, and consequence.

In 2003, the DHS published The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (DHS, 2003), a guide to the protection of critical ...